WhatsApp ships with almost every profile field visible to everyone who has your phone number. A stranger, a spammer, or someone who pulled your number from a leaked database can see your profile photo, your About text, and exactly when you last opened the app — before they send you a single message. The WhatsApp privacy settings to change are all sitting in the Privacy menu, and most users never open it.
I found this out after an unknown number sent me an unsolicited sales pitch, having clearly already viewed my profile photo before writing. A five-minute check of Settings > Privacy closed every gap I could find. The single most important insight: WhatsApp privacy settings default to permissive on purpose, and locking them down costs you nothing in normal day-to-day use.
Quick Answer
Open WhatsApp, go to Settings > Privacy, and set Last Seen, Profile Photo, About, and Status to “My Contacts.” Turn off Read Receipts. Set Groups to “My Contacts.” Go to Account > Two-step verification and create a 6-digit PIN. Return to Privacy and enable App Lock. All eight changes take under five minutes.
Why Are WhatsApp’s Default Settings a Privacy Risk?
WhatsApp’s end-to-end encryption protects what you send in transit — that part is genuinely strong. What encryption does not protect is your profile metadata. Your photo, Last Seen timestamp, About text, and online status are all readable by any phone number that has yours, even if you have never interacted. Spam networks use this data to confirm which numbers are active and build target profiles. WhatsApp’s privacy policy confirms it collects usage metadata visible to users who have your number. Changing your Privacy settings is the only lever you control here.
WhatsApp encrypts your messages but leaves your profile metadata open to anyone with your number — only the Privacy settings menu changes that.
Which Visibility Settings Should You Change First?
These four settings are all in WhatsApp > Settings > Privacy and take one tap each to update.
| Setting | Default | Recommended | What It Stops |
|---|---|---|---|
| Last Seen & Online | Everyone | My Contacts | Hides your activity pattern from unknown numbers |
| Profile Photo | Everyone | My Contacts | Shows a grey silhouette to non-contacts |
| About | Everyone | My Contacts | Removes your bio from public view |
| Status | My Contacts | My Contacts (verify) | Confirms this has not been reset by an app update |
Last Seen and Online Status
This setting has two separate dropdowns — Last Seen and Online — and both default to “Everyone.” Set both to “My Contacts.” Unknown numbers see a dash instead of a timestamp. Spam operations actively use Last Seen patterns to verify a number is live before targeting it; this one change removes you from that check entirely.
Profile Photo and About
Set both to “My Contacts.” Phrases like “Mum of two, Bristol” in your About text hand free profile-enrichment data to anyone who finds your number. A grey silhouette replaces your photo for non-contacts, which also stops cold-callers from confirming they have reached the right person before they message you.
Pro tip: After changing Profile Photo to “My Contacts,” ask a friend whose number you have not saved to look you up. They should see only a grey silhouette — no photo, no About text, no Last Seen.
Setting Last Seen, Profile Photo, and About to “My Contacts” immediately removes your personal data from anyone who has your number but is not in your address book.
Which Messaging and Group Settings Matter Most?
Read Receipts — Setting 5
Go to Privacy > Read Receipts and switch it off. Blue ticks no longer turn blue when you read a message. The setting is mutual — you also stop seeing read receipts from other people in one-to-one chats. I have had this off for over a year and have never wanted it back on. It removes the pressure to reply the instant you open a message.
Groups — Who Can Add You — Setting 6
Under Privacy > Groups, change “Who can add me to groups” to “My Contacts.” Anyone not in your address book now receives an invitation link instead of adding you directly. Bulk spam groups target fresh numbers by adding them automatically using the default “Everyone” setting; switching to “My Contacts” stops this cold.
Troubleshooting tip: If a genuine contact says they cannot add you to a group after this change, check that you have their number saved in your phone. WhatsApp defines “My Contacts” from your device address book, not from your chat history, so unsaved numbers are treated as strangers even if you message regularly.
Turning off Read Receipts and restricting group adds to “My Contacts” removes two of the most-exploited WhatsApp defaults without affecting any of your normal conversations.
How Do You Lock Down Your WhatsApp Account Against Takeovers?
Two-Step Verification — Setting 7
Go to Settings > Account > Two-step verification > Enable. Create a 6-digit PIN. WhatsApp requires this PIN whenever your number is re-registered on a new device — the exact step a SIM-swap attacker would take after porting your number to their SIM. Without the PIN, the hijacked SIM is useless for accessing your account. Add a recovery email on the same screen so a forgotten PIN does not trigger a seven-day re-registration lockout.
App Lock — Setting 8
Go to Settings > Privacy > App Lock (Android) or Privacy > Screen Lock (iPhone) and enable biometric unlock. This stops anyone who picks up your unlocked phone from opening WhatsApp and reading your messages. It addresses a different threat than Two-Step Verification: one protects against remote access, the other against physical access.
Two-step verification stops remote account hijacking; App Lock stops physical access by someone holding your unlocked device. The two layers address different real-world risks and are worth enabling together.
What Common Mistakes Make These Changes Less Effective?
1. Choosing “Nobody” instead of “My Contacts” for Last Seen
“Nobody” hides Last Seen from your real contacts too, which creates friction in personal relationships. Fix: Use “My Contacts” as the practical middle ground unless you have a specific reason for complete invisibility.
2. Skipping the recovery email for Two-Step Verification
Without a recovery email, a forgotten PIN means a seven-day re-registration lockout. Fix: Add your email address immediately after enabling Two-Step Verification — it takes ten seconds.
3. Reusing your phone’s lock-screen PIN
If someone already knows your device PIN, using it for Two-Step Verification defeats the purpose entirely. Fix: Choose a different 6-digit number that you do not use anywhere else.
4. Never rechecking settings after app updates
WhatsApp adds new settings at permissive defaults. A separate “Online Status” control appeared in a 2023 update — I nearly missed it and it had been set to “Everyone” the whole time. Fix: Run a five-minute Privacy review after every major WhatsApp update.
5. Leaving Live Location running after you no longer need it
Live Location does not expire automatically unless you chose a time limit when you started sharing. Fix: After any navigation session or meet-up coordination, tap the active location in the chat and select “Stop Sharing.”
Frequently Asked Questions
Does changing Last Seen also change who sees my Profile Photo?
No — each setting has its own toggle. Changing Last Seen to “My Contacts” does not affect Profile Photo; you need to set them individually under Settings > Privacy. I always go through the list from top to bottom so I do not skip one by accident.
If I turn off Read Receipts, can I still see when others read my messages?
No — the setting is mutual. Turning it off means neither you nor your contacts see read receipts in one-to-one chats. Group chats are an exception: delivery and read tallies for your own group messages still appear regardless of your personal Read Receipts setting, because group receipts follow the sender’s preference.
What happens if I forget my Two-Step Verification PIN?
WhatsApp blocks re-registration for seven days if you cannot supply the PIN and have no recovery email. After seven days the PIN requirement is waived, but WhatsApp sends a warning email if you added a recovery address — which means you can detect an unauthorized re-registration attempt even while locked out.
Can I block all group add requests entirely?
Not entirely, but “My Contacts Except…” lets you build an exclusion list for specific numbers. Anyone outside your contacts gets an invitation link rather than an automatic add. I use “My Contacts” across the board and have not received an unsolicited group add since making the change.
Does end-to-end encryption make these settings unnecessary?
No. End-to-end encryption protects message content in transit. It does not protect your profile photo, Last Seen timestamp, or About text — those are visible metadata that anyone with your number can access. These privacy settings operate at the metadata layer that encryption does not cover.
How often should I review my WhatsApp privacy settings?
I check mine every three to six months, or right after a major WhatsApp update. New features tend to launch with permissive defaults. Doing a five-minute review after each update has caught two new open-by-default fields on my account over the past year.
Conclusion
These eight WhatsApp privacy settings — Last Seen, Profile Photo, About, Status, Read Receipts, Groups, Two-Step Verification, and App Lock — take five minutes to lock down and immediately stop strangers from building a profile on you before they have sent a single message.
If you want to protect your chat history before making changes, back up your WhatsApp messages first. For a full device-level audit, my guides on iPhone privacy settings worth changing and Android privacy settings that stop app tracking cover the next layer.